The fund_distribution function does not enforce authorization, thereby allowing anyone to call it as long as its input parameters are valid.
After thorough analysis, Coinspect could not determine a risky scenario where this lack of authorization can be abused, as long as the curve max_complexity is kept relatively low. Keeping it low prevents an adversary from filling up the DataKey storage space.
Recommendation
Unless otherwise necessary, consider allowing only the contract owner or manager to call this function.
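The recommended gate, as an added example in plain Rust (a model written for this note, not the audited contract's code). The Contract struct, the string caller identity, the curve represented as a list of (time, amount) points, and complexity measured as the number of points are all assumptions; only the names fund_distribution, DataKey and max_complexity come from the finding.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins: the audited contract's real types and signature are not shown in the finding.
#[derive(Debug, PartialEq)]
pub enum Error { Unauthorized, CurveTooComplex }

#[derive(Hash, PartialEq, Eq, Clone, Debug)]
pub enum DataKey { Distribution(u64) } // assumed: one storage entry per funded distribution

pub struct Contract {
    owner: String,
    manager: String,
    max_complexity: usize,
    storage: HashMap<DataKey, Vec<(u64, u128)>>,
    next_id: u64,
}

impl Contract {
    pub fn new(owner: &str, manager: &str, max_complexity: usize) -> Self {
        Contract { owner: owner.into(), manager: manager.into(), max_complexity,
                   storage: HashMap::new(), next_id: 0 }
    }

    /// `caller` models an already authenticated invoker (assumption).
    pub fn fund_distribution(&mut self, caller: &str, curve: Vec<(u64, u128)>) -> Result<u64, Error> {
        // Recommended gate: only the owner or manager may create storage entries.
        if caller != self.owner && caller != self.manager {
            return Err(Error::Unauthorized);
        }
        // Existing mitigation: bound the size of each stored curve.
        if curve.len() > self.max_complexity {
            return Err(Error::CurveTooComplex);
        }
        let id = self.next_id;
        self.storage.insert(DataKey::Distribution(id), curve);
        self.next_id += 1;
        Ok(id)
    }

    pub fn entries(&self) -> usize { self.storage.len() }
}

fn main() {
    let mut c = Contract::new("owner", "manager", 3); // constructed sample values
    println!("{:?}", c.fund_distribution("anyone", vec![(0, 100)]));
    println!("{:?}", c.fund_distribution("manager", vec![(0, 100), (10, 0)]));
    println!("entries: {}", c.entries());
}
```

With the gate in place, max_complexity limits the size of each entry while the caller check limits who can add entries at all.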